android: binder: fix dangling pointer comparison

If /dev/binder is opened and the opener process then e.g. calls execve, proc->vma_vm_mm will still point to the location of the now-freed mm_struct. If the process then calls ioctl(binder_fd, ...), the dangling proc->vma_vm_mm pointer will be compared to current->mm. Let the binder take a reference to the mm_struct to avoid this. v2: use the right refcounter Fixes: a906d69 ("android: binder: Sanity check at binder ioctl") Signed-off-by: Jann Horn <[email protected]> Reviewed-by: Chen Feng <[email protected]> Cc: stable <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
jledet · Aug 15, 2016 · 7b142d8 · 7b142d8
1 parent 7ef9153
commit 7b142d8
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
@@ -2962,6 +2962,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
 		return -ENOMEM;
 	get_task_struct(current);
 	proc->tsk = current;
+	atomic_inc(&current->mm->mm_count);
 	proc->vma_vm_mm = current->mm;
 	INIT_LIST_HEAD(&proc->todo);
 	init_waitqueue_head(&proc->wait);
@@ -3167,6 +3168,7 @@ static void binder_deferred_release(struct binder_proc *proc)
 		vfree(proc->buffer);
 	}
 
+	mmdrop(proc->vma_vm_mm);
 	put_task_struct(proc->tsk);
 
 	binder_debug(BINDER_DEBUG_OPEN_CLOSE,